The Information Commissioner’s Office’s new powers will allow it to be more proactive in the prevention of patient data breaches by foundation trusts, trusts and GPs. Joanna Sharr, solicitor at Ridouts, explains how


Since 1 February, the ICO has had the power to carry out compulsory audits of NHS organisations to review how they handle patients’ personal information.

Previously such audits were only applicable to central government departments.

The change follows ICO criticism of how the NHS deals with patient data and permits the office to be more pro-active in its approach to the health service.

Data failure

The NHS holds vast amounts of personal data, often of the most sensitive kind.

Yet the commissioner has described it as among the worst organisations in its management and safeguarding of data, and NHS organisations have been subject to £1.3m in fines.

As with other bodies that process personal information, NHS organisations are subject to the Data Protection Act 1998.

They must comply with the eight principles that underpin the act. Personal information must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with individuals’ rights;
  • secure; and
  • not transferred to other countries without adequate protection.

Powered up

The role of the ICO is to uphold information rights in the public interest and to promote openness by public bodies and data privacy for individuals in accordance with the principles of the act. 

To this end it has rights of inspection and enforcement conferred on it under the act, as well as under other pieces of legislation including the Freedom of Information Act 2000.

Until 1 February, the ICO could levy fines on NHS organisations for failings in how they held patients’ personal data. It could also undertake audits of NHS organisations, but only with their consent. 

The ICO’s right to carry out compulsory audits was previously limited to central government departments, but has now been extended to NHS providers. This includes foundation trusts, trusts and GP surgeries, and their equivalent bodies in Scotland, Wales and Northern Ireland. 

The new powers do not apply to private companies that provide healthcare, even those providing such services on behalf of the public sector.

The ICO can now review how NHS organisations handle the personal information of patients, and consider specific areas such as staff training, data security and records management.

Prevention, not cure

Current information commissioner Christopher Graham has been critical of the NHS’s approach to the handling of patient information and has welcomed the new powers conferred on his office.

In particular, Mr Graham has emphasised how the new powers will allow the ICO to “force our way in to the worst performing parts of the health sector… [and] act before a breach happens.”

His comments signal a change in the ICO’s relationship with the NHS, from a body concerned principally with taking enforcement action after a data breach has occurred, to one that is proactive and seeks to prevent a data breach from occurring in the first place.

Early indications from the ICO suggest this is not something the health service should be fearful of.

Nevertheless, NHS bodies should be aware of the ICO’s new powers and ensure that they are compliant with the principles of the Data Protection Act 1998 before they are audited under the new regime.

Joanna Sharr is a solicitor at Ridouts